Posted by Soulskill on Saturday May 10, 2014 @11:33AM from the you-can-trust-us dept.

An anonymous reader writes "The U.S. Department of Justice says it needs greater authority to hack remote computers in the course of an investigation. The agency reasons that criminal operations involving computers are becoming more complicated, and argues that its own capabilities need to scale up to match them. An ACLU attorney said, 'By expanding federal law enforcement's power to secretly exploit "zero-day" vulnerabilities in software and Internet platforms, the proposal threatens to weaken Internet security for all of us.' This is particularly relevant in the wake of Heartbleed — it's been unclear whether the U.S. government knew about it before everyone else did. This request suggests that the DOJ, at least, did not abuse it — but it sure looks like they would've wanted to. You can read their request starting on page 499 of this committee meeting schedule."

You might not want to use something like this, at least you do not want to use it against criminals who themselves have a background in IT and especially IT security. Else you might be in for a nasty surprise, namely that they're employing a tripwire system that waits for someone trying to hack them as an early warning system.

In other words, your attempt to hack the criminals doubles as a "the feds are coming" flare.

That depends very much on what level of crime we are talking about. I would imagine that most crime is at a level where the situation you suggested is not a problem.

Also, I would imagine that a sophisticated crime syndicate is in at least as much risk of being hacked by rivals and vigilantes as by the government, so unless you are doing it in such a way that they can figure out who you are, such a tripwire might not help much. Of course, it is perfectly plausible that the feds would not employ much sophi

If a criminal runs their books offline with no net connection, using a USB flash drive for physical transportation or moving encrypted data to an online PC, tripwire may not be needed.

It wouldn't take much to scare criminals into moving their unencrypted stuff offline, then the DOJ has hosed themselves since all the juicy stuff they wanted easier access to is now inaccessible unless physical attacks are used.

Even the clueless criminals, once they see the Feds are wanting to hack into their systems will start getting their friends who know what they are doing and updating things.

It isn't hard to run the second set of books on an offline computer with a F/OSS operating system, an office suite that doesn't need activation, and USB flash drives for moving data. With a VM server like KVM, VirtualBox, or VMWare workstation, any programs that need Windows can run on a hacked copy.

Even the clueless criminals, once they see the Feds are wanting to hack into their systems will start getting their friends who know what they are doing and updating things.

I don't necessarily disagree with what you are saying but you cannot really advertise a job to secure a criminal enterprise. What you are left with is either relying on only those you already know which might not be very cutting edge or seeking someone specific out and hoping they don't turn rat on you.

In the former, I will just say that I don't know how many screwed up systems and wide open home networks I have seen installed by someone's rocket scientist kid, nephew, neighbor, work IT, church buddy, or whatever that had more WTF things going on than anything correct. Even following people sporting walls full of certifications and bragging about how good they are because of them sometimes turn out to be almost worthless for even simple tasks when following them into a small business. Those are usually the most dangerous- screwed up too. I usually find them running unpatched Windows 200x servers directly open to the internet and half the ports opened up because they wanted remote access or something in the network needed it. They are often sporting more infections and malware than a porn surfing teen's computer- because no one ever logs onto them to see the 5 million IE pop ups and error messages until something goes horribly bad and they just reboot thinking "I fixed it again".

I'm thinking most criminals that aren't just doing it because of opportunity will already be into something like what you describe. A lot of people claim to know what they are doing but fail in spectacular ways.

The tripwire in this is the use of it itself. "Reasonable Doubt" http://en.wikipedia.org/wiki/R... [wikipedia.org] being the legal tripwire. The DOJ hacks a computer with a zero day exploit proving beyond reasonable doubt that the computer in question could be hacked and substantiating reasonable doubt about the user's guilt as another criminal organisation could have been secretly using the computer to commit crimes via that same zero day exploit. Now this doesn't even touch the idea that the very first and foremost acti

Wait a minute. Are you saying there should be built in backdoors to accommodate them?

And the 90s? What leads you to believe it was better then, when the democrats were pushing for clipper chips, V-chips, and other restrictions on encryption? I say we have it much better now, now that we have confirmed the government is running outlaw spy agencies, and that might provide the above mentioned incentives to actually do something

I'd say we have it better now, because crypto isn't "illegal" like it was when ITAR was the law of the land. However, because online connections are required, coupled with layers of complexity added to even the humble desktop, the crypto may be good, but the key is still stored under the doormat for anyone to fetch.

I try not to use crypto, but I can see a future, such as an invasion of this land, or total banning of knowledge from the hands of anyone and full intellectual property dictatorship, where you have to pay 2 cents for every word uttered etc, where it would be necessary to use encryption, together with burying your computer/disks in the backyard, and only digging it out once in a while for updates, or to get some really important knowledge off of them that you forgot, and even then encryption may not be such

And the 90s? What leads you to believe it was better then, when the democrats were pushing for clipper chips, V-chips, and other restrictions on encryption?

Here's what was better: people were smart enough in the 90s to not let them do it.

Also, even the government had to get a warrant to tap a phone and call it anything remotely like "legal".

Yeah, they did pass ITAR regulation, which was really dumb, and very bad, but that only applied to exports. It didn't have anything at all to do with our internal communications. With FISA, in effect they're doing something kind of resembling ITAR on crypto but far worse, turning it on their own people.

They weren't smart enough to vote the bums out, and now we have what we have because of it. And just because they "didn't let them do it", it doesn't mean they didn't do it anyway. The spy agencies were just as corrupt then as they are now. The only difference between then and now is that it can be done in broad daylight because... terrorism. The submissive population has been fairly constant.

They weren't smart enough to vote the bums out, and now we have what we have because of it. And just because they "didn't let them do it", it doesn't mean they didn't do it anyway.

No, they didn't do it anyway. This discussion was about V-chips and Clipper Chips. The Clipper Chip, for example, was a chip that was supposed to be put in every phone in America -- by law -- supposedly to "encrypt" your conversation and make it "more secure".

Nobody who knew anything about it in those days thought it was a good idea. And they said so.

But people post 9-11 got all scared and let the government pass all kinds of shitty laws, in spite of warnings from the people who knew better. And we ar

Yes, they did. They just gave it a different name, and didn't discuss it publicly. The unwritten "agreement" is that strong encryption will not be available to the public. And people were no smarter then either. They still overwhelmingly voted for republicans and democrats, who were just as crooked then as now. So the trust issue is moot. The only difference is that they had to act more covertly until they got their "Pearl Harbor". I can assure you nothing has changed aside from

including other countries; I did not notice anything in the article restricting this to computers in the USA. Other countries might not agree with the USA DOJ allowing computers in their countries to be cracked -- thus the USA cops/investigators will be conducting criminal acts in other countries -- how does that make them different from what the USA wanted to grab Gary McKinnon [wikipedia.org] for?

If the US DOJ attacked my computers I would absolutely retaliate. Hack them back, delete everything, take the whole network down and cripple them as badly as possible to neutralize that threat. Then report the incident to the police and file a civil suit for damages. Try to get them extradited to the UK to stand trial.

The US has said hacking is an act of war. A few cruise missiles aimed at DOJ headquarters seems like a reasonable, proportionate response. Maybe some drone strikes against high ranking DOJ st

If you (or myself) do the same thing, it's illegal, and we're gonna be prosecuted. The law is the same for everyone (at least it should be). I'm sick & tired of that shit. Police installing cameras (without warrant) to spy on people, inside their homes, warrantless wiretapping and every other thing that is *ILLEGAL* for the common people.

If it's illegal for me to do it, it's illegal for them to do it. And yes, I hope it blows up in their faces.

Sue them? Of course not. We should be able to bring severe criminal charges against them. Twenty year minimum for anyone complicit in such activities. The watchers have to be kept on a very tight leash.

The funny part is that they will claim you created and released the virus in order to justify their shenanigans in the first place. It's like being arrested for resisting arrest before you were ever under arrest. And yes, that has happened where people get busted for resisting arrest and there was never any underlying reason for the arrest before being arrested for resisting arrest.

That's why you never resist an arrest. Cops will often go on fishing expeditions, to see if you have anything to hide, or a reason to run and evade them. Just routine type checks. Such as going through a yellow light, that's turning red too soon. It's not really a big deal, but it's enough for the cop to stop you, and if you attempt to flee, then he will chase you down for not stopping, but if you stop, he'll let you go, over something that even he thinks is minor. Then when he chases you down and you resis

There are a few instances I know of where someone was arrested for resisting arrest before an arrest ever happened.

The one that is the most egregious is where a guy started videoing a cop who stopped someone near him. He pulled out a camera and started taking video of the entire thing. The cop let the other person go after a few minutes then came over and ordered him to give his camera to him. He replied with "why" and the cop tackled him, handcuffed him and arrested him for resisting arrest. I'm not sure i

"hacking computers", or "placing trojans" and other such things primarily do one thing: They make evidence useless. Because you can't prove anymore that you did not plant it, that you didn't change anything and that you did not open a backdoor for a third party.

How stupid can you get? And why haven't the forensic specialists of the DOJ told them what their request really would mean?

I've got some other great ideas in the same vein:
- Drop cleanliness regulations for DNA testing labs
- Don't require physical ev

I have indirectly worked on the US PAT act (back in mid-2000), and supported the work that we did. However, while I had issues (it was the neo-cons that pushed for NSA to go un-monitored, so that they would not have to take responsibilities; spineless trash), I had no issue with it being the NSA. They have NO ENFORCEMENT capabilities. They had no branch that allowed them to enforce any laws. I am sorry, but as such, the NSA was NOT breaking the constitution since they could only pass on the information.